Penetration Testing

Ethical Security Testing

Commissum, as a fully accredited CREST company, delivers penetration testing services that include thorough assessment of network vulnerabilities and their potential exploitation; the resulting reports include executive level summaries as well as technical recommendations for the improvement of the security of your networks.

How vulnerable are you to a dedicated, well-resourced attack by a determined attacker?

How vulnerable are you to a passing hacking attempt by a “cyber-vandal”?

You may have unknown and undocumented points of access to the Internet

The service covers both the broad security issues exploited by automated or low-level attacks and the simulation of a dedicated attacker, testing the defences at the Internet gateway and within the network

The service provides a report on vulnerabilities, the risk they pose, their impact on your business, and recommendations for remedial action

Penetration Testing Issues

This service simulates the action of dedicated attackers, testing the defences at the Internet gateway and within the network. The principle is that determined attackers will devote significant effort, and use sophisticated tools and techniques to penetrate the network.

Most commercial penetration testing services scan and test your Internet point of presence, which is your public gateway to the world wide web. These tests are useful in that they provide a “snapshot” of your current vulnerability to basic attacks. What they do not do is tell you whether you have unknown and undocumented points of access to the Internet, or how vulnerable you are to a dedicated and well-resourced hack by a determined attacker.

It is also important to check your vulnerability to a determined attack by an insider, considering that sixty to seventy percent of organisations reporting incidents have suffered internal attacks, according to reputable security surveys.

The potential impact of these security breaches is high. A professional attacker will have a specific aim, such as obtaining valuable corporate information, or causing maximum public embarrassment through website defacement, data theft, exposure of confidential information, etc.

Penetration Testing Approach

The approach builds on the basic point-of-presence penetration test, with the addition of more time spent on areas such as research, more analysis of the web server and applications, and vulnerability scanning within the network (behind the firewall). The internal network can also be analysed for vulnerabilities.

The phases are as follows:

Research – check publicly available information about network addresses and IT deployment that could be of use to a potential attacker

Enumeration – scan by appointment with the organisation, stopping short of causing damage or disruption to systems

Exploitation – confirm the existence of vulnerabilities, and leverage them to uncover further routes into the network; Commissum stops short of launching attacks that may risk the stability of the system

Analysis and reporting – correlate with known vulnerabilities, examine findings, inform the client and reach conclusions on business impacts

Customer Benefits of Penetration Testing

Commissum will produce a report indicating the vulnerabilities discovered and the potential impact on your business. The report will highlight the following:

An executive summary for a non-technical audience

Recommendations for fixes of the vulnerabilities discovered

Cost-effective, high-value improvements

Areas of risk to your business, with highlighting of their relative priority

To supplement the report, Commissum is also able to provide a follow-up presentation and interactive workshop. The aim is to work with the organisation to assist in development of a realistic, focused and prioritised plan of action to address the recommendations.